Unicenter AutoSys Job Management Integration ... - SupportConnect

Unicenter AutoSys Job 

Management 

Integration with eTrust Access Control User 

Guide 

X00000-1E

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for 

the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates 

International, Inc. (“CA”) at any time. 

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without 

the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright 

laws of the United States and international treaties. 

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for 

their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only 

authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the 

license for the software are permitted to have access to such copies. 

This right to print copies is limited to the period during which the license for the product remains in full force and 

effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced 

copies or to certify to CA that same have been destroyed. 

To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, 

including without limitation, any implied warranties of merchantability, fitness for a particular purpose or 

noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or 

indirect, from the use of this documentation, including without limitation, lost profits, business interruption, 

goodwill, or lost data, even if CA is expressly advised of such loss or damage. 

The use of any product referenced in this documentation and this documentation is governed by the end user’s 

applicable license agreement. 

The manufacturer of this documentation is Computer Associates International, Inc. 

Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or 

DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. 

© 2004 Computer Associates International, Inc. 

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents 

Chapter 1: Working with eTrust Access Control and Unicenter 

AutoSys Job Management 

Architecture...................................................................................................................................................... 1-1 

Integrating eTrust Access Control Model with Unicenter AutoSys Job Management......................... 1-2 

Chapter 2: Real World Situations 

Scenario 1: Defining Naming Standards ........................................................................................................ 2-1 

Defining the eTrust Rule........................................................................................................................... 2-2 

Administrator Role ................................................................................................................................... 2-2 

Scenario 2: Securing Machines ........................................................................................................................ 2-4 

Navigating the Policy Manager................................................................................................................ 2-4 

Scenario 3: Stopping the event_demon........................................................................................................... 2-7 

Scenario 4: Job Ownership............................................................................................................................... 2-8 

Conclusion........................................................................................................................................................ 2-9 

Appendix A: Job Naming Conventions 

Naming Conventions...................................................................................................................................... A-1 

Appendix B: Troubleshooting 

General Issues and Resolutions.......................................................................................................................B-1 

HP Issue............................................................................................................................................................B-3 

Web Interface Problem ....................................................................................................................................B-3 

Contents 

iii

Chapter 

1 

Working with eTrust Access 

Control and Unicenter AutoSys 

Job Management 

With the arrival of Unicenter AutoSys Job Management 4.5, an external security 

methodology is now provided through eTrust Access Control (eTrust AC). By 

utilizing eTrust AC, job scheduling administrators are able to provide a more 

granular level of control towards defining job attributes and administer 

application level control to ensure security and enforce standards. The purpose 

of this guide is to describe the integration between eTrust AC and Unicenter 

AutoSys Job Management as well as provide examples you can possibly find in 

the real world. This document can be used in providing a quick start in 

implementing an Unicenter AutoSys Job Management environment secured 

through eTrust AC. 

Architecture 

eTrust AC as a standalone solution provides security to servers through a 

client/server subscription model. Within an enterprise, an administrator installs 

an eTrust server master database, otherwise referred to as a Policy Model 

Database (PMDB). This eTrust server acts as the parent server for which eTrust 

clients could subscribe to receive policy rules. eTrust clients store policy rules in 

a local database, known as a seosdb. After an eTrust client is subscribed to an 

eTrust Server, the PMDB pushes out all access control rules to the eTrust client 

database (seosdb). The benefit of having such an architecture is that the security 

administrator only needs to update the PMDB, and after doing so, the newly 

created policy will be pushed out to all subscribed clients. 

Working with eTrust Access Control and Unicenter AutoSys Job Management 1–1

Architecture 

Integrating eTrust Access Control Model with Unicenter AutoSys Job 

Management 

With policy rule databases now implemented throughout your environment, you 

want to be able to tie these rules in with Unicenter AutoSys Job Management 

scheduling clients to secure the more granular aspects of job scheduling, 

including job definitions, web interface access, listing jobs, and controlling the 

Unicenter AutoSys Job Management environment (e.g. stopping the event 

processor). 

Unicenter AutoSys Job Management references the eTrust AC before allowing 

any changes to be submitted. By checking first with the eTrust client database on 

your Unicenter AutoSys Job Management client machines, Unicenter AutoSys 

Job Management can allow or deny changes to the Unicenter AutoSys Job 

Management environment. To gain a fuller understanding, let us take a look at 

the following diagram and follow the Unicenter AutoSys Job Management logic 

for an eTrust AC environment. For more detailed information on this integration, 

please refer to the Unicenter AutoSys Job Management User Guide. 

1–2 Unicenter AutoSys Job Management Integration with eTrust Access Control User Guide

Architecture 

1. Create policy rules in the PMDB. These rules will be pushed out to the 

eTrust client machines. 

2. When a command is issued from Unicenter AutoSys Job Management 

(e.g. sendevent, jil, autorep), Unicenter AutoSys Job Management queries 

the eTrust client database to determine if there are any access 

restrictions. 

3. The eTrust database returns an allow or deny message based on the 

actions you are trying to take with Unicenter AutoSys Job Management. 

4. If access is granted, Unicenter AutoSys Job Management then proceeds 

to access the database to change or access the information you require. If 

you are denied access, a message appears indicating the resource 

requirements you failed to fulfill. 

Unicenter AutoSys Job Management Defined Classes in eTrust Access Control 

When installed with Unicenter AutoSys Job Management, eTrust AC contains 

several user-defined classes which allow you to secure the Unicenter AutoSys 

Job Management environment. These classes are 

• as-job 

• as-calendar 

• as-owner 

• as-gvar 

• as-machine 

• as-control 

• as-view 

Working with eTrust Access Control and Unicenter AutoSys Job Management 1–3

Architecture 

• as-list. 

For a description of each of these classes, please refer to the Unicenter Unicenter 

AutoSys Job Management Job Management User Guide. 

By now, you should have a general overview of the integration between 

Unicenter AutoSys Job Management and eTrust AC. The next section goes into 

actual implementation of rules with common scenarios a Unicenter AutoSys Job 

Management administrator may run into and the steps they can take to ensure 

that security is enforced. 


Chapter 

2 

Real World Situations 

Your company has recently moved to Unicenter AutoSys Job Management 4.5 

and needs additional security for job definitions. You have recently consolidated 

your disparate Unicenter AutoSys Job Management instances, so they will need 

to maintain security between these jobs. By using the as-classes in eTrust, 

Unicenter AutoSys Job Management 4.5 can help your company in securing your 

environment while allowing it to expand. 

The job scheduling group for your company consists of four groups with distinct 

roles: 

• Administrators - define the rules 

• Developers - create the jobs and define them to the Unicenter AutoSys 

Job Management database 

• Scheduling operators - monitor their particular job flows and take action 

on failed jobs by resubmitting them 

• Casual users 

Scenario 1: Defining Naming Standards 

Your company has attempted to enforce naming conventions for jobs so that they 

can be easily identified by the scheduling operators. However, at times, these 

naming conventions are not adhered to by some developers who forget the 

syntax of this nomenclature. Your scheduling administrator does not want any 

jobs to be created within the database that do not follow this naming standard. 

eTrust AC functions optimally when naming conventions are followed. It would 

be much easier to define rules when job names, global variables, and calendars 

follow a standard. As a job name standard, CA recommends that you define your 

job names with something similar to the following: 

applicationIdentifier_boxname_jobname 

Real World Situations 2–1


Defining the eTrust Rule 

Let’s say, for example, following this schema, the Unicenter AutoSys Job 

Management administrator in your company wants Developer1 to be able to 

create and edit jobs for the finance application and Developer2 to create and edit 

jobs for the payroll application and all of the jobs must follow the naming 

convention. The naming conventions for these jobs are: 

FIN_* 

PAY_* 

To create and edit rules within eTrust, you can use the GUI-based Policy 

Manager provided on Windows, or the selang command prompt utility provided 

on both UNIX and Windows platform (under the eTrustAccessControl\bin 

directory). This guide will provide information from a command line 

perspective. 

1. At the command prompt, type selang to run the selang utility. 

2. When the selang command prompt appears it is connected to the local 

seosdb. To connect to the PMDB, enter 

Example: 

hosts autosys@hostname 

where the localhost is also the eTrust server machine. 

Target host: localhost 

eTrust selang v5.2.1173 - eTrust command line interpreter 

Copyright 2003 Computer Associates International, Inc. 

eTrust>hosts autosys@localhost 

(autosys@localhost) 

Successfully connected 

INFO: Target host's version is 5.2.1173 

OS info: Windows NT Version:5.1, Service Pack 1 

30 Jan 2004 15:31:21 Eastern Standard Time 

eTrust> 

Administrator Role 

Now the administrator needs to do two things: 

• Ensure that jobs being entered either begin with “FIN_” and “PAY_”. 

• Restrict Developer1 to only create the FIN_ jobs and Developer2 to create 

the PAY_ jobs. 



Change the default permissions for job creation for all users 

We will focus with the as-job class. Currently this class allows for default 

permissions for all users to create, edit, delete, execute, read, and write for all 

jobs. 

eTrust> showres as-job _default 


Data for as-job '_default' 

----------------------------------------------------------- 

Defaccess 

: R, W, X, Cre, Del 

Note: The syntax of our selang command consists generally of three parts: 

. It is helpful to remember this syntax when 

referring to resources. 

Now you need to change the default access for all jobs created in Unicenter 

AutoSys Job Management so that no one can write to the database unless 

authorized. You can do this through the editres command. 

eTrust> editres as-job _default defaccess(none) 


Successfully updated as-job _default 

You can see the results of this change by the same showres command. 

eTrust> showres as-job _default 


Data for as-job '_default' 

----------------------------------------------------------- 

Defaccess : None 

Update time : 30-Jan-2004 15:42 

Updated by : Administrator 

Create a new resource for FIN_* jobs and allow only creation and editing of these jobs by 

Developer1. 

Now that you have essentially denied access for creating and editing of jobs for 

all users, you can start defining new eTrust resources based on the job names you 

want to allow to be created as well as the users that will create and edit them. 

Let’s start with the FIN_* jobs. 


Scenario 2: Securing Machines 

To create a resource, issue the newres command. 

eTrust> newres as-job FIN_*.ACE 


Successfully created as-job FIN_*.ACE 

Each resource has standard syntax of 

name. 

The instance extension allows you to have multiple Unicenter AutoSys Job 

Management clients for different instances on the same machine and reference 

the same eTrust client database. In this case, you only specify the rule for 

instance ACE. If you wanted the rule to span all instances, you could just omit 

the instance identifier, e.g. newres as-job FIN_*. 

Now you want to authorize Developer1 to create and edit the jobs. Assuming 

that Developer1 is in the eTrust database, you can use the authorize command. 

eTrust> authorize as-job FIN_*.ACE uid(developer1) access(create, write) 


Successfully added developer1 to FIN_*.ACE's ACL 

You have just ensured that the only user allowed to create jobs is Developer1. 

More importantly, Developer1 is only allowed to create and edit jobs that start 

with “FIN_”. 


Your company has a wide range of machines within its environment, however, 

you want to differentiate between your production instance (PRD) and your 

development instance (DEV) such that PRD can only schedule jobs on 

production machines specified by PRD_* and DEV can only schedule to 

development machines specified by DEV_*. By doing so, you can ensure that a 

developer who is creating a job flow does not mistakenly run on a production 

machine, or that jobs that should run on production do not run on a 

development machine. In addition, it will limit the machines that jobs can be 

scheduled to so there can be no rogue remote agent machines. 

Let’s approach this from a user interface perspective on the Windows platform. 

Navigating the Policy Manager 

To launch the eTrust Policy manager, in the Start Menu, select Programs, CA, 

eTrust, AC, Policy Manager. As described in scenario 1, you will need to connect 

to your PMDB by clicking and selecting the PMDB to connect to. 



Once you have connected, you should be able to view the User Defined Resource 

classes for use with Unicenter AutoSys Job Management. Click in the left 

hand pane. 

Similar to the selang command line utility, you should see the Unicenter AutoSys 

Job Management user defined classes as specified. 

Note: In this scenario, the class that we will focus on will be as-machine. Select 

the default policy for the as-machine class and click Set Default Access. 

Referring back to the scenario, you want to be able to secure machines Unicenter 

AutoSys Job Management jobs can be scheduled to. 



Prevent users from being able to define jobs that can be scheduled to any machine 

1. Set the default access to None. As a result of this, no user will be able to 

create a job with any machine name. 

Allow users in the DEV group to only create jobs with machines that start with DEV_*. 

1. Right-click in the right hand pane under the default policy and select 

New for a new resource. 

2. Enter the resource Name DEV_*.DEV. 


Scenario 3: Stopping the event_demon 

3. Click Authorize. Select a new group to have full permission on machines 

starting with DEV_* in the DEV instance. Click OK. 

Allow users in the PRD group to only create jobs with machines that start with PRD_*. 

1. Right-click in the right hand pane under the default policy and select 

New for a new resource. 

2. Enter the resource Name PRD_*.PRD. 

3. Click Authorize. Select a new group to have full permission on machines 

starting with PRD_* in the PRD instance. Click OK. 

Scenario 3: Stopping the event_demon 

Your company needs to control who can stop the event_demon. This was once 

controlled by the Unicenter AutoSys Job Management exec super user. However, 

now that an external security provider (eTrust) has been integrated with 

Unicenter AutoSys Job Management, once eTrust is enabled, the Unicenter 

AutoSys Job Management super user concept is overridden. You can control 

Unicenter AutoSys Job Management administration via the as-control class. The 

next steps will explain how you will authorize certain users to be able to stop the 

event_demon while revoking these rights for others. 

By default, after eTrust AC has been turned on, the default permission to stop the 

event_demon is execute for all users. This will be one of the first items you will 

need to address before deciding to enable eTrust AC. 

Unicenter AutoSys Job Management administrative access controls are stored in 

the as-control class. When querying the STOP_DEMON* resource through 

selang, we can see the default access permissions for this resource. 

eTrust> sr as-control STOP_DEMON* 


Scenario 4: Job Ownership 


Data for as-control 'STOP_DEMON*' 

----------------------------------------------------------- 

Defaccess : X 

Audit mode : Failure 

Owner : Administrator (USER) 

Create time : 29-Oct-2003 11:11 

Update time : 29-Oct-2003 11:11 

Updated by : Administrator 

Comment : Controls who can stop the Unicenter Unicenter AutoSys Job 

Management JM Event Processor 

Once again, you need to disable the default access permissions and authorize a 

select group of users to be able to stop the event_demon. As a reinforcement of 

the walkthroughs given above, you will need to perform the following steps to 

secure the STOP_DEMON* resource. 

1. Disable the default access to the resource. 

editres as-control STOP_DEMON* owner(nobody) defaccess(none) 

2. Authorize the specific user (root) to be able to issue a STOP_DEMON. 

auth as-control STOP_DEMON* uid(root) access(X) 

Now, only the root user should be able to issue the STOP_DEMON command 

and have it succeed. All other users will not be allowed to stop the event 

processor. 

Scenario 4: Job Ownership 

Your company wants to further secure their environment by restricting user 

access to run jobs as the root user. In order to do this, you need to create a policy 

where a job cannot be owned by the root user, thus disabling any possibility of a 

job being defined that is owned by the root user. By doing this, you will be better 

able to audit what particular users do without having to worry about people 

running jobs under the root user. 

The particular class you are interested in is as-owner. This class controls who can 

own job (based on the owner attribute of a job definition). Here you will deny all 

users the ability to create a job owned by the root user. As in the above examples, 

you will check the current default permissions on the “_default” resource under 

the as-owner class. 

1. Check the default permissions under the as-owner class through selang. 


Conclusion 

eTrust> showres as-owner _default 

(localhost) 

Data for as-owner '_default' 

----------------------------------------------------------- 

Defaccess 

: X 

Update time : 25-Nov-2003 11:24 

Updated by 

: root 

As you can see, all users are able to be defined as the owner, and the 

owner will be able to run this job. Let’s create a new specific resource 

which will deny the root user from owning a job, thereby, controlling 

root from ever executing a process on the remote agent machine. 

2. Define a new resource for the root user under the as-owner class, and 

deny this user execute permissions. 

eTrust> newres as-owner root* owner(nobody) defaccess(none) 

(localhost) 

Successfully created as-owner root* 

Conclusion 

Hopefully, by now you should have a basic understanding to how eTrust AC 

integrates with Unicenter AutoSys Job Management. As you can see, there are 

many additional Unicenter AutoSys Job Management user-defined classes to 

eTrust AC which will help you in securing additional items like calendars and 

global variables. Security does not only encompass access rights to these 

Unicenter AutoSys Job Management elements, you can also use it to enforce 

naming conventions for jobs as well as limit how and where a job stream will 

flow. 

This quick start guide is meant to be used in conjunction with the security 

module in the current Unicenter AutoSys Job Management document. 


Appendix 

A 

Job Naming Conventions 

Naming Conventions 

All names start with a three letter application identifier. Underscore will be used to 

delimit name levels. If the job is in a box, the box name follows the application name. The 

job name comes after the box name. The “fw” extension must be added if the job is a file 

watcher job. Example job name: TRD_REPORTS_EOD223. 

The name TRD_REPORTS_EOD223 indicates that this job is from the TRD application, it 

is in the box REPORTS, and its name is EOD223. 

A file watcher job that is not in a box could be named like this: TRD_STRTAPP_FW. This 

job is also from the TRD application, it is not in a box, its name is STRTAPP and it is a file 

watcher job. 

Job Naming Conventions 1–1

Appendix 

B Troubleshooting 

The following section outlines some of the most common issues that occur while 

working with eTrust Access Control and Unicenter AutoSys Job Management 

together. 

General Issues and Resolutions 

Installation 

If you install eTrust AC, always make sure the client uses absolute the root or 

administrator account. Any form of “su” to root on UNIX or using a user that 

belongs to Administrator group will cause problems in eTrust. It is really hard to 

pinpoint exactly what problem it will cause because the symptom varies. This 

should be the very first thing support needs to verify on any eTrust related issue. 

Error: “You are not authorized to do…” in Unicenter AutoSys Job Management_secure. You are 

completely locked out of Unicenter AutoSys Job Management_secure. 

Cause 

The security word in the eTrust PMDB is out of sync with the one in Unicenter 

AutoSys Job Management DB. 

Resolution 

On Unicenter AutoSys Job Management side, delete the security word from the 

keymaster table. 

Command on the Autosys DB server: 

Delete from keymaster where keymaster.hostname = ‘SecurityWord’ 

Command on the eTrust server : 

rr as-control _ON. 

rr as-control _OFF. 

After that, reset the security word in Unicenter AutoSys Job Management_secure 

Troubleshooting B–1

General Issues and Resolutions 

Remarks 

This error is caused by a synchronization error between the eTrust client and 

PMDB server. This can be manifested by viewing the as-control class in both 

client and server eTrust databases and checking to see if they are both there. If 

not, then instructions to resubscribe the client to the server should be provided 

before manipulating eTrust content that state “Please do not modify this 

content”. This brings up the issue of severity levels, solutions that you should try 

first and then ultimately to resolve an issue. We’ll run into this especially when 

clients have separate administrators for say job scheduling and security. If the 

Unicenter AutoSys Job Management admin knows that by deleting and running 

things here and there from the Unicenter AutoSys Job Management 

database/command line, they can essentially override any security that the 

security administrators are trying to enforce. 

Error: The Windows machine is locked down from login after installation of Web Interface 

Cause and Resolution 

For Unicenter AutoSys Job Management and WI, if you choose to install eTrust, 

absolute root/administrator user account must be used. If you belong to the 

Administrator group on Windows or “su” and “sudo” to root on UNIX this error 

will occur. 

Error: "Job Access Denied. 

Unicenter AutoSys Job Management/eTrust subscriber authentication error: 

the phACEE parameter is a null pointer 

Class: Resource: User: Access:" 

Cause 

The lookaside DB in eTrust in eTrust is not up-to-date. 

Resolution 

Execute ./sebuildla –a to rebuild the lookaside DB. Then recycle eTrust. 

Remarks 

eTrust support team suggests that you run “sebuildla –a” regularly to avoid this 

problem from happening. 

B–2 Unicenter AutoSys Job Management Integration with eTrust Access Control User Guide

HP Issue 

HP Issue 

Core dump after entering multiple EDIT/EXEC superusers. Fix T346100 does not 

fix the problem completely. The core dump is gone but we still see the following 

problem. 

After entering multiple EDIT/EXEC superusers in the Unicenter AutoSys Job 

Management_secure, superuser got locked out of the Unicenter AutoSys Job 

Management_secure option 1-4. You can still see option 5-8. 

Workaround 

1. Logon to the Oracle DB from weather 

#zql –UUnicenter AutoSys Job Management –PUnicenter AutoSys Job 

Management –Sautodev 

2. Reset 2 values 

zql>update alamode set int_val=0 where type=’EVT’ 

zql>/ 

zql> update alamode set int_val=0 where type=’JOB’ 

zql>/ 

3. CONTROL-D key to get out of zql 

4. Restart Unicenter AutoSys Job Management_secure and the problem 

should be resolved. 

Web Interface Problem 

Issue 

Special characters (i.e. “!”) in the user ID prevent Web Interface from installing. 

Cause 

This is an InstallShield problem. InstallShield unpacks the JVM to %TEMP%, and 

starts the install wizard with that java. For some reason the ‘!’ in the path was 

preventing java from loading some properties files which are required for xalan 

so we got an exception doing an xsl transform. 

Troubleshooting B–3

Web Interface Problem 

Workaround 

The problem with the '!' seems not to be a bug in ISMP, but more a limitation of 

the xml parser. The '!' character acts as a comment character and so having that 

character in the classpath for java causes problems for the parser. The reason the 

'!' is part of the path to the jvm is because when you use a bundled jvm, the 

bundle is extracted to a temp location which is a subfolder of your home 

directory. Because of the '!' in your user ID, the path has the '!' as well. The work 

around to this is to specify the -is:tempdir switch to use a different temp location. 

This will allow you to specify a directory which does NOT have the '!' in the 

path. 

For example 

setupwin32.exe -is:tempdir C:\temp 

Will extract the bundled jvm to the C:\temp directory, and the install will be 

successful. 

B–4 Unicenter AutoSys Job Management Integration with eTrust Access Control User Guide

Unicenter AutoSys Job Management Integration ... - SupportConnect

Create successful ePaper yourself

Delete template?

Save as template?